Microsoft's newly announced Windows XP vulnerability was first reported by a Google researcher, potentially raising more behind-the-scenes conflict between the two companies. Earlier in June, reports leaked that Google had begun transitioning its employees off Windows, apparently because of security concerns. Some analysts are questioning how these public security revelations will affect the two companies' competitive stance, and whether Microsoft will be negatively affected in the longer term.
Microsoft and Google's recent interactions have analysts questioning whether
the two companies are engaged in an indirect battle, using issues such as
security and operating systems to launch broadsides at each other.
On June 1, news leaked that Google was reportedly trying to transition its
employees away from Windows-based systems because of security issues, following
a January security breach that took advantage of an Internet Explorer
vulnerability to steal some of Google's intellectual property.
Google itself declined to confirm those reports, but Microsoft seemed
anxious to counter reports that its flagship Windows platform was excessively
vulnerable.
"There's been some coverage overnight about the security of Windows and
whether or not one particular company is reducing its use of Windows," Brandon
LeBlanc, a spokesperson for Microsoft, wrote June 1 on the official Windows
blog. "When it comes to security, even
hackers admit we're doing a better job of making our products more secure than
anyone else. And it's not just the hackers; third-party influentials and
industry leaders like Cisco tell us regularly that our focus and investment
[continue] to surpass others."
But speculation quickly arose that Google's alleged Windows ban was not, in
fact, out of security concerns, and instead enacted to clear the way internally
for its cloud-based Chrome OS.
"I have to wonder how much of this is due to competitive drivers versus
genuine desire to secure Google," IDC
analyst Al Hilwa told eWEEK. "After all, Google has operating systems,
browsers, tools and productivity software that [are] head-to-head competitive with
Microsoft, and so this may make sense for them."
Barely had the issue died down, however, before another
Windows-security-related one popped up, with Microsoft forced to issue a June
10 security advisory after Google engineer Tavis Ormandy uncovered a vulnerability
affecting the Windows Help and Support
Center function of both Windows XP
and Windows Server 2003. Other Windows editions were apparently not affected by
the bug.
"Launching the Help and Support Center
via an hcp:// link is normally safe and is a supported way to launch help
content," reads a June 10 post on Microsoft's Research & Defense blog. "This is
due in part to an 'allow list' of safe pages that Help and Support Center checks
before navigating to
a passed-in page. The Google security researcher found a help page with a
cross-site scripting vulnerability and also a mechanism by which to abuse the
allow list functionality to access that page with an exploit querystring.
Clicking on a malicious hcp:// link leverages the XSS vulnerability to
circumvent helpctr.exe's safety controls and ultimately run an arbitrary .exe
installed on the machine."
Ormandy reported that he informed Microsoft of the bug June 5.
Nonetheless, he caught his share of flak from IT security professionals
concerned that the proof-of-concept attack code Ormandy decided to publish
could ultimately be used to exploit the vulnerability.
"[Ormandy] used the same process on another bug he discovered earlier this
year," said Andrew Storms, director of security operations at nCircle. "You
have to wonder if he is adding fuel
to the very public fire between Microsoft and Google by continuing to draw
negative attention to Microsoft's security process."
Google reportedly insists that Ormandy was acting independently, conducting
research into the issue on his own time.
Microsoft is apparently working on a security update that will address the
issue. "It is important to note that customers running Windows Vista, Windows
7, Windows Server 2008 and Windows Server 2008 R2 are not vulnerable to this issue
or at risk of attack," a Microsoft spokesperson, looking on the bright side,
wrote in a June 10 e-mail to eWEEK. "We are not currently aware of any
successful exploits of this activity."
However, the spokesperson added, "Given the public disclosure of the details
of the vulnerability, and how to exploit it, customers should be aware that
broad attacks are likely." As such, "customers running Windows XP and Windows
Server 2003 are encouraged to review and apply the mitigations and workarounds
discussed in Microsoft's Security Advisory."
Given the increased competition between Microsoft and Google, which extends
not only to their respective search engines but also to smartphone operating
systems, you can see why some observers would interpret these incidents as part
of a larger campaign. But whatever their underlying motives or actions, both
Microsoft and Google seem to anticipate a long battle for market share in their
shared tech segments.